dotenv pull to SecretStorage / memory (do not persist secrets on disk)

[ohadschn]

dotenv pull pulls an unencrypted .env file to the local file system.

While this file could be git-ignored, it would still contain secrets in plaintext sitting on the file system. This can make sense on production systems or CI agents, but it is not a secure practice for development machines (which can far more easily be compromised).

Instead, I suggest something similar to https://github.com/pomdtr/vscode-secrets:

1. The secrets are pulled but instead of being saved to a file, they would either be kept in memory or stored securely on the local OS using https://code.visualstudio.com/api/references/vscode-api#SecretStorage (which under the covers uses keyring / keychain / DPAPI).
2. Before any project/application is launched, the secrets are loaded from memory / OS secure store, and then injected as environment variables to the process.

You could still maintain some "virtual" .env file where secrets can be browsed by the user ,but the key point would be that at no point that information is actually saved in plaintext on the hard drive.